From 269993a264aed9a8ff1ac8d7be7444e0c3eff1fd Mon Sep 17 00:00:00 2001
From: Brendan Galloway
Date: Thu, 5 Feb 2026 15:02:46 +0200
Subject: [PATCH 1/4] feat: add gateway handling to sefaria helm chart
---
 .../sefaria/templates/gateway/gateway.yaml | 61 +++++++++++++++++++
 .../sefaria/templates/gateway/httproute.yaml | 35 +++++++++++
 helm-chart/sefaria/templates/ingress.yaml | 2 +
 helm-chart/sefaria/values.yaml | 9 +++
 4 files changed, 107 insertions(+)
 create mode 100644 helm-chart/sefaria/templates/gateway/gateway.yaml
 create mode 100644 helm-chart/sefaria/templates/gateway/httproute.yaml
diff --git a/helm-chart/sefaria/templates/gateway/gateway.yaml b/helm-chart/sefaria/templates/gateway/gateway.yaml
new file mode 100644
index 0000000000..4e7c3b67b0
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/gateway.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+metadata:
+ name: {{ .Values.deployEnv }}
+ labels:
+ {{- include "sefaria.labels" . | nindent 4 }}
+ annotations: {{ .Values.gateway.annotations | toYaml | nindent 4 }}
+spec:
+ gatewayClassName: {{ .Values.gateway.className }}
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ {{- range .Values.domains.root }}
+ {{- $code := .code }}
+ {{- if kindIs "slice" $code }}
+ {{- $code = index $code 0 }}
+ {{- end }}
+ {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
+ {{- $wwwDomain := printf "www.%s" $rootDomain }}
+ {{- $secretName := tpl .cert $ | default ( printf "origin-%s-$s-tls" $.Values.deployEnv $code ) }}
+ - name: https-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ hostname: {{ $rootDomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ - name: https-www-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ hostname: {{ $wwwDomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ {{- range $.Values.domains.modules }}
+ {{- $subdomain := index .subdomains $code }}
+ {{- if $subdomain }}
+ - name: https-{{ $subdomain }}-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ {{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
+ hostname: {{ $subdomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm-chart/sefaria/templates/gateway/httproute.yaml b/helm-chart/sefaria/templates/gateway/httproute.yaml
new file mode 100644
index 0000000000..4883d7d60c
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/httproute.yaml
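Review bot: The listener list in gateway.yaml grows as 1 + roots × (2 + modules that define a subdomain for that code), and the Gateway API caps `spec.listeners` at 64 entries, so a large enough `domains` table makes the whole Gateway fail validation instead of dropping a single host. Listener names are also built from values (`https-{{ $subdomain }}-{{ $code }}`), so two modules that map to the same subdomain for one code would render duplicate listener names. A template comment above the outer `range`, such as `{{- /* one HTTPS listener per root, www and module subdomain; a Gateway allows at most 64 listeners, each with a unique name */ -}}`, would record both constraints. The sizes of `domains.root` and `domains.modules` are not visible in this patch, so whether the limit is near is unknown from here.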
@@ -0,0 +1,35 @@
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ .Values.deployEnv }}
+spec:
+ parentRefs:
+ - name: {{ .Values.deployEnv }}
+ hostnames:
+ {{- range .Values.domains.root }}
+ {{- $code := .code }}
+ {{- if kindIs "slice" $code }}
+ {{- $code = index $code 0 }}
+ {{- end }}
+ {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
+ {{- $wwwDomain := printf "www.%s" $rootDomain }}
+ - {{ $rootDomain }}
+ - {{ $wwwDomain }}
+ {{- range $.Values.domains.modules }}
+ {{- $subdomain := index .subdomains $code }}
+ {{- if $subdomain }}
+ {{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
+ - {{ $subdomain }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ rules:
+ - backendRefs:
+ - name: nginx-{{ $.Values.deployEnv }}
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+{{- end }}
diff --git a/helm-chart/sefaria/templates/ingress.yaml b/helm-chart/sefaria/templates/ingress.yaml
index 01f9965f19..9f5944dbdf 100644
--- a/helm-chart/sefaria/templates/ingress.yaml
+++ b/helm-chart/sefaria/templates/ingress.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.ingress.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -75,3 +76,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/helm-chart/sefaria/values.yaml b/helm-chart/sefaria/values.yaml
index dd2fcd9af8..58538372b0 100644
--- a/helm-chart/sefaria/values.yaml
+++ b/helm-chart/sefaria/values.yaml
@@ -266,6 +266,15 @@ domains: - collections - profile +ingress: + enabled: true + +gateway: + enabled: false + className: envoy + annotations: + cert-manager.io/cluster-issuer: ingress-ca + nginx: containerImage: # Full path of the image registry inclusive of the image name
From f7173faad97b939ddedf5854309bf3b57d137eb6 Mon Sep 17 00:00:00 2001
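Review bot: `parentRefs` in httproute.yaml names the Gateway without a `sectionName`, so the route also attaches to the plain `http` listener on port 80 that gateway.yaml declares, and every listed hostname is proxied to `nginx-<deployEnv>` over cleartext with no redirect defined in the chart. Unless the nginx backend or something in front of the cluster already forces HTTPS (not visible here), pin this route to the HTTPS listeners and give the `http` listener a route of its own that only redirects. The fence sketches that redirect route. The main route's `parentRefs` would then need one entry per HTTPS listener name, generated by the same `range` loops that build the listeners.

```yaml
# … existing HTTPRoute above, its parentRefs pinned to the HTTPS listeners via sectionName …
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: {{ .Values.deployEnv }}-https-redirect
  labels:
    {{- include "sefaria.labels" . | nindent 4 }}
spec:
  parentRefs:
    - name: {{ .Values.deployEnv }}
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```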
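Review bot: The chart-wide default `cert-manager.io/cluster-issuer: ingress-ca` under `gateway.annotations` in values.yaml means any environment that sets `gateway.enabled: true` also hands certificate issuance for the Gateway to that issuer. The Gateway listeners default to the `origin-<env>-<code>-tls` secret name, the same default the Ingress template uses, and nothing prevents `ingress.enabled` and `gateway.enabled` from both being true. If those secrets are provisioned outside cert-manager (not visible in this patch), cert-manager may reissue into them. Consider shipping `annotations: {}` as the default and setting the issuer per environment, with a comment such as `# set cert-manager.io/cluster-issuer here only if cert-manager should own the listener secrets`.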
From: Brendan Galloway
Date: Mon, 9 Feb 2026 11:35:52 +0200
Subject: [PATCH 2/4] fix: duplicate key in gateway spec
---
 helm-chart/sefaria/templates/gateway/gateway.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/helm-chart/sefaria/templates/gateway/gateway.yaml b/helm-chart/sefaria/templates/gateway/gateway.yaml
index 4e7c3b67b0..e521c604c1 100644
--- a/helm-chart/sefaria/templates/gateway/gateway.yaml
+++ b/helm-chart/sefaria/templates/gateway/gateway.yaml
@@ -1,7 +1,6 @@
 {{- if .Values.gateway.enabled }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
-metadata:
 metadata:
 name: {{ .Values.deployEnv }}
 labels:
From 625ac78cc306fbdea08b7c23d9d1fa0bec75b19a Mon Sep 17 00:00:00 2001
From: Brendan Galloway
Date: Mon, 9 Feb 2026 11:50:57 +0200
Subject: [PATCH 3/4] fix: explicitly allow connection coalescing
---
 .../templates/gateway/clienttrafficpolicy.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
diff --git a/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
new file mode 100644
index 0000000000..b0c88cd9f4
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+ name: {{ .Values.deployEnv }}
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: {{ .Values.deployEnv }}
+ alpn:
+ protocols:
+ - h2
+ - http/1.1
+{{- end }}
From db25cd6c15c60e92d0425ca73bd92574f7ee5b54 Mon Sep 17 00:00:00 2001
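Review bot: The `alpn:` / `protocols:` keys in clienttrafficpolicy.yaml do not match the ClientTrafficPolicy field I know for this setting, which is `alpnProtocols` nested under `spec.tls`; indentation is lost on this page and no `tls:` key appears in the hunk, so confirm against the installed CRD. An unrecognised field is either rejected at apply time or dropped, and in the second case the policy would silently not advertise `h2` as the commit intends. If the schema check confirms this, move the `h2` and `http/1.1` entries under `tls:` → `alpnProtocols:`. A template comment would also help, for example `{{- /* coalescing is acceptable: all listeners of a root share one certificate and one route to nginx */ -}}`, since that reasoning is only inferable from gateway.yaml and httproute.yaml.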
From: Brendan Galloway
Date: Tue, 10 Feb 2026 11:34:26 +0200
Subject: [PATCH 4/4] fix: labelling and cert name typo
---
 helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml | 2 ++
 helm-chart/sefaria/templates/gateway/gateway.yaml | 2 +-
 helm-chart/sefaria/templates/gateway/httproute.yaml | 2 ++
 helm-chart/sefaria/templates/ingress.yaml | 2 +-
 4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
index b0c88cd9f4..e8674204aa 100644
--- a/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
+++ b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
@@ -3,6 +3,8 @@ apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: ClientTrafficPolicy
 metadata:
 name: {{ .Values.deployEnv }}
+ labels:
+ {{- include "sefaria.labels" . | nindent 4 }}
 spec:
 targetRef:
 group: gateway.networking.k8s.io
diff --git a/helm-chart/sefaria/templates/gateway/gateway.yaml b/helm-chart/sefaria/templates/gateway/gateway.yaml
index e521c604c1..89bc81ab5f 100644
--- a/helm-chart/sefaria/templates/gateway/gateway.yaml
+++ b/helm-chart/sefaria/templates/gateway/gateway.yaml
@@ -19,7 +19,7 @@ spec:
 {{- end }}
 {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
 {{- $wwwDomain := printf "www.%s" $rootDomain }}
- {{- $secretName := tpl .cert $ | default ( printf "origin-%s-$s-tls" $.Values.deployEnv $code ) }}
+ {{- $secretName := tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }}
 - name: https-{{ $code }}
 protocol: HTTPS
 port: 443
diff --git a/helm-chart/sefaria/templates/gateway/httproute.yaml b/helm-chart/sefaria/templates/gateway/httproute.yaml
index 4883d7d60c..1106b9056c 100644
--- a/helm-chart/sefaria/templates/gateway/httproute.yaml
+++ b/helm-chart/sefaria/templates/gateway/httproute.yaml
@@ -3,6 +3,8 @@ apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: {{ .Values.deployEnv }}
+ labels:
+ {{- include "sefaria.labels" . | nindent 4 }}
 spec:
 parentRefs:
 - name: {{ .Values.deployEnv }}
diff --git a/helm-chart/sefaria/templates/ingress.yaml b/helm-chart/sefaria/templates/ingress.yaml
index 9f5944dbdf..3ba45f8118 100644
--- a/helm-chart/sefaria/templates/ingress.yaml
+++ b/helm-chart/sefaria/templates/ingress.yaml
@@ -22,7 +22,7 @@ spec:
 {{- end }}
 {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
 {{- $wwwDomain := printf "www.%s" $rootDomain }}
- - secretName: {{ tpl .cert $ | default ( printf "origin-%s-$s-tls" $.Values.deployEnv $code ) }}
+ - secretName: {{ tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }}
 hosts:
 - {{ $rootDomain }}
 - {{ $wwwDomain }}